Krebs on Security

In-depth security news and investigation

Mail from the (Velvet) Cybercrime Underground

Over the past six months, “fans” of this Web site and its author have shown their affection in some curious ways. One called in a phony hostage situation that resulted in a dozen heavily armed police surrounding my home. Another opened a $20,000 new line of credit in my name. Others sent more than $1,000 in bogus PayPal donations from hacked accounts. Still more admirers paid my cable bill for the next three years using stolen credit cards. Malware authors have even used my name and likeness to peddle their wares.

But the most recent attempt to embarrass and fluster this author easily takes the cake as the most elaborate: Earlier this month, the administrator of an exclusive cybercrime forum hatched and executed a plan to purchase heroin, have it mailed to my home, and then spoof a phone call from one of my neighbors alerting the local police. Thankfully, I had already established a presence on his forum and was able to monitor the scam in real time and alert my local police well in advance of the delivery.

This would-be smear campaign was the brainchild of a fraudster known variously online as “Fly,” “Flycracker,” and MUXACC1 (muxa is transliterated Russian for “муха” which means “fly”). Fly is the administrator of the fraud forum “thecc[dot]bz,” an exclusive and closely guarded Russian language board dedicated to financial fraud and identity theft.

On July 14, Flycracker posted a new forum discussion thread titled, “Krebs Fund,” in which he laid out his plan: He’d created a bitcoin wallet for the exclusive purpose of accepting donations from other members. The goal: purchase heroin in my name and address from a seller on the Silk Road, an online black market that is only reachable via the Tor network. In the screenshot pictured above, Flycracker says to fellow members:

“Guys, it became known recently that Brian Krebs is a heroin addict and he desperately needs the smack, so we have started the “Helping Brian Fund”, and shortly we will create a bitcoin wallet called “Drugs for Krebs” which we will use to buy him the purest heroin on the Silk Road. My friends, his withdrawal is very bad, let’s join forces to help the guy! We will save Brian from the acute heroin withdrawal and the world will get slightly better!”

Together, forum members raised more than 2 bitcoins – currently equivalent to about USD $200. At first, Fly tried to purchase a gram of heroin from a Silk Road vendor named 10toes, an anonymous seller who had excellent and plentiful feedback from previous buyers as a purveyor of reliably good heroin appropriate for snorting or burning and inhaling (see screenshot below).

Flycracker discussing the purchase of a gram of heroin from Silk Road seller “10toes.”

For some reason, that transaction with 10toes fell through, and Flycracker turned to another Silk Road vendor — Maestro — from whom he purchased a dozen baggies of heroin of “HIGH and consistent quality,” to be delivered to my home in Northern Virginia earlier today. The purchase was made using a new Silk Road account named “briankrebs7,” and cost 1.6532 bitcoins (~USD $165).

Flycracker ultimately bought 10 small bags of smack from Silk Road seller “Maestro.” The seller threw in two extra bags for free (turns out he actually threw in three extra bags).

In the screenshot below, Fly details the rest of his plan:

“12 sacks of heroin [the seller gives 2 free sacks for a 10-sacks order] are on the road, can anyone make a call [to the police] from neighbors, with a record? Seller said the package will be delivered after 3 days, on Tuesday. If anyone calls then please say that drugs are hidden well.”

Last week, I alerted the FBI about this scheme, and contacted a Fairfax County Police officer who came out and took an official report about it. The cop who took the report just shook his head incredulously, and kept saying he was trying to unplug himself from various accounts online with the ultimate goal of being “off the Internet and Google” by the time he retired. Before he left, the officer said he would make a notation on my report so that any officer dispatched to respond to complaints about drugs being delivered via mail to my home would be prompted to review my report.

Meiklejohn and fellow researcher Damon McCoy, an assistant professor of computer science at George Mason University, have been mapping out a network of bitcoin wallets that are used exclusively by the curators of the Silk Road. If you wish to transact with merchants on the Silk Road, you need to fund your account with bitcoins. The act of adding credits appears to be handled by a small number of bitcoin purses.

“All Silk Road purchases are handled internally by Silk Road, which means money trades hands from the Silk Road account of the buyer to the Silk Road account of the seller,” explained Meiklejohn, author of the paper, A Fistful of Bitcoins: Characterizing Payments Among Men with No Names, to be released in October 2013 at the ACM Internet Measurement Conference in Barcelona, Spain.

“These accounts aren’t visible on the bitcoin network though, so the only thing we can even hope to see by looking at the public transactions is when money goes into and comes out of the set of addresses that represent the collective account balances of all silk road users,” Meiklejohn wrote in an email to KrebsOnSecurity. “By manually tagging a handful of silk road addresses (via direct interaction) and then bootstrapping using the heuristic I described to label many more (around 250,000 in total), we are able to achieve this second goal by identifying addresses in the network that are ‘owned’ by silk road.”

In short, we can see that Flycracker’s Krebs Fund wallet was used to deposit 2 bitcoins into a bitcoin wallet controlled by those who maintain the Silk Road marketplace, but we can’t say for certain whether he used that credit to make a purchase.
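The attribution described above rests on clustering: a few Silk Road addresses are tagged by hand, and every address that can be shown to share an owner with a tagged one inherits the tag, so a deposit from an outside wallet into any address in that cluster is visible as a deposit to Silk Road. The block below is an added illustration of that bootstrapping step, not code from this post or from the Meiklejohn/McCoy paper. It assumes the linking rule is the common-input-ownership heuristic (all inputs of one transaction are controlled by the same key-holder), which the page itself does not spell out; the transaction list, the address names and the `krebs_fund` wallet are constructed sample data.

```python
from collections import defaultdict

# Constructed sample transactions, not real chain data: each entry is
# (input addresses, output addresses). Address names are invented labels.
SAMPLE_TXS = [
    (["sr_hot_1", "sr_hot_2"], ["sr_cold_1"]),            # marketplace sweeps two deposit addrs
    (["sr_hot_2", "sr_hot_3"], ["sr_cold_2"]),            # ties sr_hot_3 to the same owner
    (["sr_hot_3", "sr_hot_4", "sr_hot_5"], ["vendor_payout"]),
    (["krebs_fund"], ["sr_hot_4"]),                       # outside wallet deposits into the cluster
    (["alice_1"], ["bob_1"]),                             # unrelated traffic
    (["alice_1", "alice_2"], ["exchange_1"]),
]

# One address tagged "by direct interaction" (hypothetical seed for this example).
SEED_TAGS = {"sr_hot_1": "silkroad"}


class UnionFind:
    """Disjoint-set structure: addresses that ever co-spend end up in one set."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_shared_inputs(txs):
    """Common-input-ownership heuristic (assumed here): every input of a
    transaction is spent by the same key-holder, so all inputs are merged.
    Only addresses that appear as inputs get a cluster; an output is linked
    once it is later spent together with something."""
    uf = UnionFind()
    for inputs, _outputs in txs:
        first = inputs[0]
        uf.find(first)                      # register single-input spends too
        for addr in inputs[1:]:
            uf.union(first, addr)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return {root: frozenset(members) for root, members in clusters.items()}


def propagate_tags(clusters, seed_tags):
    """Bootstrap: every member of a cluster inherits the tag of any tagged member.
    Two different tags in one cluster mean the heuristic mis-merged and we stop."""
    tagged = {}
    for members in clusters.values():
        tags = {seed_tags[a] for a in members if a in seed_tags}
        if len(tags) > 1:
            raise ValueError(f"conflicting tags in one cluster: {sorted(tags)}")
        if tags:
            tag = tags.pop()
            for a in members:
                tagged[a] = tag
    return tagged


def deposits_to(tagged, txs, tag):
    """(sender, receiver) pairs where an address outside the tagged set pays
    into it. This is what the public ledger shows: money entering the
    marketplace's addresses, not what happened to the credit afterwards."""
    hits = []
    for inputs, outputs in txs:
        for i in inputs:
            if tagged.get(i) == tag:
                continue
            for o in outputs:
                if tagged.get(o) == tag:
                    hits.append((i, o))
    return hits


if __name__ == "__main__":
    clusters = cluster_by_shared_inputs(SAMPLE_TXS)
    tagged = propagate_tags(clusters, SEED_TAGS)
    print(sorted(a for a, t in tagged.items() if t == "silkroad"))
    print(deposits_to(tagged, SAMPLE_TXS, "silkroad"))
```

Run as-is, the single seed tag spreads to all five `sr_hot_*` addresses, and the only recorded deposit is `krebs_fund` paying `sr_hot_4`. Two limits match the post's own caveat: the ledger shows the deposit but says nothing about an internal Silk Road purchase, and the heuristic over-merges whenever unrelated parties deliberately co-sign one transaction, which is why `propagate_tags` refuses clusters that carry two different tags rather than silently picking one.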

THE DELIVERY

A thin package containing what appears to be packets of some white powder was delivered to my doorstep Monday, a day earlier than Flycracker had told his buddies that it would arrive. The package was hand-delivered by our local postal carrier, sent in a thin USPS Express Mail envelope that was postmarked from Chicago. Inside was another blank envelope containing a May 2013 copy of Chicago Confidential, a weekly glossy magazine from the Chicago Tribune.

On the back of the magazine, taped to a full-page ad for jewelry from LesterLampert, were a baker’s dozen individually wrapped packets emblazoned with the same black and gold skull motif that was on Maestro’s Silk Road ad. I guess the seller in this case was worried that 12 packets didn’t quite meet the 1 gram measurement for which Flycracker and his goons paid, so he threw in an extra one for good measure.

13 packets of what appears to be heroin arrived at my home via the Silk Road on July 29, 2013.

I wasn’t planning even to touch the individual packages, but curiosity got the best of me. Before calling the cop who took my initial report and letting him know that he could come and retrieve the parcel, I had a look inside one of the packets. But not before donning a particulate face mask and a pair of disposable gloves. Hey, I watch Breaking Bad: Safety first!

Without actually having the substance tested at a lab, I can’t say for certain whether this is talcum powder or the real thing. The cop that came to collect the package said he had a drug field test kit in his squad car but then discovered he was out of the heroin tests (I’m not sure what that says about the heroin problem in Northern Virginia, but I digress). Frankly, I’m willing to give the seller the benefit of the doubt, given that Maestro currently has glowing feedback from almost 100 other buyers on Silk Road. Nevertheless, if I receive any testing results from the local police, I’ll update this blog post.

It’s not every day your enemies deliver drugs to your door. I’m pretty sure they don’t teach you about this stuff in journalism school (not that I went or anything).

Just who is this Flycracker mischief maker? That will have to wait for another post. Stay tuned.

137 comments

And it is easy to speak of the lives of others [hackers, carders, botmasters].
You [Krebs] invade the forum of these guys and find that they do not go doing anything? It would be foolish on your part.
Be realistic, you are at risk talking shit about these guys.
This is the minimum that they can do in relation to you.
Now, imagine if it was a bomb? What do you think? [Krebs]
It would be surprising if some hacker does not do this someday.
Good luck with your work, the risks are increasing lol;

Wow, that was cool to see what bad dudes are doing. Well, I hope someone will write an interesting article about that, methods etc. and results. What could go wrong if they noticed that someone is seeing what they are doing?

A few things spring to mind though. What if you hadn’t been a member of that forum and hadn’t cottoned on to what was going on beforehand? Also, I didn’t quite catch, did the phony phone call ever get made?

The hostage situation and the drugs do seem to be a pattern of escalation from paying bills with stolen credit card numbers.

Aside from starting to need a good “working relationship” with your local PD, one which almost certainly doesn’t have the bandwidth (or probably the capability) to investigate these issues. On their own, the offences these people are committing are probably fairly minor. I don’t know what the US equivalent of Class A drug supply, wasting police time, theft and harassment is, but over here (UK), for that amount of drugs and theft below £5000, although they’re indictable (previously we used to call them felonies) offences, I can say with some knowledge that that whole lot doesn’t get hearts beating at the crown prosecution service.

Do you have a strategy for what to do next?

I’m not suggesting giving it away (or that you need telling) but it might help to have a plan should this escalation continue. Sorry to say it but in a roundabout sort of way, the coverage you get does also help sustain the egos of these self-important, to use a specific Americanism, douchebags.

Brian, you have definitely been providing the internet community a great service with your stories about all kinds of malicious behavior such as identity theft, online fraud and so forth. This story is just another testament to the impact of your work on uncovering such criminal activity and educating people about these issues.

Sadly, you have become the target of extremists who feel threatened by your research & writing.

How long will you be able to keep up the resistance? How long until you or your beloved ones will get hurt?

You are doing a noble job, and fighting against the outrageous actions of shady individuals. This requires a lot of courage, so I only have a lot of respect for what you have accomplished so far and continue to do. It is just so sad that you have to fear for your own safety (and, I guess, the safety of your family).

I wish you all the best and keep my fingers crossed you get out of this one unharmed.

why the hell did you open that package? you want to stay completely clean, don’t you? why put ANY doubt in the minds of law enforcement? I would have handed it over, unopened, period. Best of luck going forward with these creeps, you’re doing a super noble service. Thank you.

Brian, my prayers are with you. Please don’t take this lightly, as you may want to consider security details by notifying authorities as to your whereabouts all the time. Your enemies are not all in Moscow.

Seriously? Why the hell would anyone want to do this.
That said, I’ve had some “strange stuff” ™ show up recently and attract the wrong sort of attention from Da Feds.
In my case it wasn’t the plastic baggie with the YO, nor the LEDs but a small envelope containing very fragile plastic heatsink composite that got clobbered.
I’ll let you know if my experiment works though, if it does you may well read about it on arXiv.

This is domestic terrorism, as per the Oklahoma Anti-Terrorism Act section 3 (b), and identical to a fraud involving the kidnapping of a child from Nortel Networks employees in 2001 (which is still ongoing).

It’s a brave thing that Michael did to notify the public to this level of sophistication AND to police reluctance to treat such activity any less seriously than anthrax attacks or pipe bombs. In this case, Krebs was not hurt, but other people HAVE BEEN and in fact hostages have been taken using very similar methods, which law enforcement cannot deal with effectively in the United States right now.

Freight, honestly, it’s because hunting people who do this down and lynching them is the only solution sometimes. Especially when they prey on children, traffic in child sex, and seek to influence business in the United States by terrorism.

Our response has been to pull all standing to countries and States supporting the abuse, like Detroit MI, and vacate the patents of countries who shield the activity under the Berne Convention as non-conformity aiding war crimes activity in direct threats against the public. This is, generally, why law enforcement has never had a need to act in the Midwestern U.S. – because of provisions that permit use of lethal force where law enforcement opts out of their obligation to act.

Similar threats to rape and murder my (female) British / Chinese counterpart in a similar pattern led us to arm our staff and track these groups (and their supporters) as terrorist elements in the United States, France, Germany, Ukraine, and Russia.

State law supersedes Federal and Foreign law in these matters, and documentation for archival tracking of such activity is the best solution. Of course it ruins the lives of people who aid the enemy and engage in crime, but frankly, that’s the cost of supporting terrorist activity and trying to understate the serious criminal felony nature of mail fraud, wire fraud, and extortion by foreign organized crime. Extradition is for people who give a damn about law. When fighting criminals, outside domestic jurisdictions, why should any person so targeted by *serious* fraud respect foreign law in protected retaliation (Fourth Geneva Convention, right to retaliation so secured 100% without limitation in acts of war to include targeting of civilians and framing of felony crimes to deprive them of property and liberty).

The acts of these Russian Citizens have damaged the Russian Federation and its Citizens right to commerce by this abuse, and should be dealt with. To expect a security officer to be silent where the very nature of the threat is to impersonate them or defraud them or conduct commerce in their name, is insane. This is not private. This is a matter of public trust and public interest in fraud and conspiracy to file a false police report to suppress investigative legal action of a free press. It deserves maximum attention, and to anyone sending threats to those persons named, the death penalty in whatever ‘justifiable’ form is required of the (local, victim’s) jurisdiction.

The acts of this sort of fraud effectively (by legal act under color of law) kill people and seek (clearly) to jail the target unlawfully in a frame-up.

Jurisprudence dictates we kill em right back (literally if necessary, as that is lawful in my State and others).
No right to privacy in such fraud exists, and the reliance upon reliable witnesses to evade the denial activity in psychological operations is justified. Because as stated prior, the law enforcement arm of the United States and its member-states are not skilled in this area and ineffective warfighters where sophisticated fraud and extra-judicial communication and operations are involved. At no time is provocation an excuse for the premeditated act executed in this format, and it should be instead framed as an effort to frame an American Citizen on American soil in context to sabotage of U.S. security.

Russia can deal with the behavior, or we can deal with Russia – take your pick. The same applies to all States, Counties, and individuals who wish to become combatants by denial, suppression, or in acts to promote fear of reprisal. To quote Stalin – if you eliminate enough people (economically) you will find the guilty party and punish them. The only question is, who wants to get in the way and what excuses would you like entered on the record of such action?

For posterity, of course.

Law enforcement has failed. That doesn’t mean the public has no right to know. In fact, public release of data is the only form of defense from complicity in such matters (see “The Convention on the Prevention and Punishment of the Crime of Genocide”).

This has all happened before. Silence is all that will let it happen again. Let us not pray for silence, and stand by the people targeted by this “Progressive” social-justice (socialist) sort of crap. It’s not a joke. And in this country, even one of those bags could be a felony if the plot had not been uncovered, destroying the ‘commercial validity’ of the target in economic sabotage activity with commercial aspects of fraud that can be (with full disclosure) traced directly to banking interests and service offers (laundering of money into the IT sector by IT criminals, including intimidation of competitors using traditional methods). Study the mobs of Chicago (1920s) and you can see how little good it does to “rely on the police to fix this”. This is a community problem. It demands a community solution.

Speaking out about the crime and the evidence of such stalking (18 U.S.C. 2261A) and wire fraud in the name of the target (18 U.S.C. 1030) is a start.

And if they threaten witnesses, we escalate legally to economic and intellectual property sanctions to include termination of export and license technology to the affected regions combined with industry boycotts and expose coverage of the financial relationships and national security issues. Until it ends. Until someone ends up dead. Or it stops.

What you do with your computer and your drugs is your business. But when you ship them to a person to extort and intimidate them, it becomes a community issue and a national law enforcement question. The sort of thing that strips countries unwilling to employ enforcement of all right to say anything further about the security of the Internet or access (peering) rights to lucrative markets. Read Gibson. Understand, it’s not too late to shut this thing down and blockade a country, or walk away from government control and break up the ol’ Internet Republic into Intranets. If government cannot regulate abuse, then private networks may be a viable alternative for elite and security-conscious carriers. Leaving everyone else in the ‘dirt’ so to speak, of the old lawless money-starved public IP.

There’s no such thing as ‘anonymous’. It’s just a question of how far they chase you (THX-1138).

The goal of such publicity is to STOP young dumb bastards from thinking this is a joke or they can get away with things like this without consequence. The rule of socialism goes both ways – and when a Russian hits an American, holding all Russians responsible, like all Nigerans were for awhile, makes perfect sense in the same logic. It’s not fair. But (pursuant the Fourth Geneva Convention) that’s the lawful prescribed response to ‘unfair’ activity at that level.

After 10 years of threats in child abuse, I can tell you, “get the bastard” is a much better plan than “hide and hope it goes away”. Unless you side with the pedophiles who profit most from this sort of fraud.

It’s only idiotic to resist if you believe the ‘victim’ won’t shoot you in the kneecaps and bury you in the back 40 by an anthill in Indian Country (Oklahoma). Claims by these morons and pushers that they are ‘victims’ and have a ‘right to retaliate’ that ruin people’s lives, deserve nothing less than full disclosure. What is it that Anonymous is so fond of saying? “We Never Forget, We Never Forgive?”

Or as my friends are fond of saying, “So that you don’t forget our promise, we left a heavy stone reminder over your bed to help you remain in your corner.”

Security means someone must report why things finally ended. Leave the visitation and notification service to their own devices. So someone doesn’t whisper in your ear like dear Pablo Escobar.

Common sense, in our community, means that when someone calls for help legitimately we come to their aid. Not “shhhh” them like children. And if someone calls for aid and lies, they pay the price. As do their children and community, for that fraud before the public trust. These fools spent your credibility, if you are Russian, and you should accept that. Your good name is the casualty already, in such plots and plans. Learn to protect your good name like adults and stop the people behind the fraud, or share in it. Your choice. “You get what you deserve,” no?

The only ill effect of dealing with issues like this is the waste of brass. And the nation that loses a mother or father to criminals and pimps like those responsible.

The correct response to anyone affiliated with that ideology that for an instant threatening these people is a good idea, can let God sort them out – provided we let Him have the pieces the pen hammer doesn’t keep. It won’t be quick, and I can guarantee that.

I can also attest that it’s hard to gum a rat to death after a conversation on such ideas of ‘retaliation’ as a risk to public speech or cooperation in prosecution of a terrorist cell – Russian, Ukrainian, or domestic.

The prior comment is nothing but a veiled threat, and I find that amusing. It’s the same passive tone used in all the threats we receive, and typical of the legally vapid lack of understanding of 76-9 protections in the United States reserved by our people in self-defense.

God, how that comment makes Russia look stupid. “martyr”… really? You must share the same playbook. Psychological denigrating remarks and all. The language of terrorism, is a soft voice alluding to a warning. The language of Freedom is a smoking gun and a dead terrorist. The “private life” comment especially – classic FSB style. Hable Amercanski, buuuuuuuuuuuuudy?

Seriously, these sorts of comments are just childish. It must be something in the water. Or maybe the heroin. Or all the time spent with little underage boys that makes this sound like an adult concern to you. IRL? What the Hell. Were you born in the 90s?

Confusing the Internet for not-real-life, or unrelated the rules, regulations, and laws by which adults live and work, is the first sign of an unstable mind. And attacking the mental capacity of a person, the first step in Soviet society since Lenin and Stalin to ad hominem abuse in psychological operations.

By your own words, we know you.

Security is key, when treason and rebellion are confused by the weak of mind. Stay sharp Brian. These little peckers think they are “real professionals” thanks to their rubber-subby stamps from hoc universities, and really get pissed when someone pays attention to anyone but them. Ego disorder of some sort, I guess, but symptomatic of the post Defcon era. They think what they see in the movies is real, and what they see in real life is imitation of that – not vice versa. Sad little (television) world they live in. The Nintendo generation of crime, raised on GTA and prestige for things that get you dead in real life.

Talking about some thug is not one of those things. Or talking about the brave men and women of the esprit de corps among actual security professionals.

If you are afraid to be identified off the battlefield, you have already lost. If you are a ghost, you shouldn’t be writing. Very few people walk in both worlds and live. Clearly you aren’t a ghost. So leave the wetwork to us. You just call targets. Keep feeding coordinates. Let the Boys of Fort Sill do their work.

I’ve been there a few times and have friends there. The Russians I know are good people. It’s unfortunate, though, that so many extremely weak morally bankrupt programmers are Russians and Ukrainians. Their mothers and fathers did a bad job. Their extraordinarily infantile inability to resist psycho impulses practically makes them zombies. Maybe in the next round of life they’ll gain a little normal strength instead of being owned by pathetic evil.

That is pretty harsh, some of that may lie with their parents but most of it is probably due to a lack of better choices… The entire globe has been struggling the last 50 years and in reality probably forever to balance greed with incentive, power with rights, and survival with long term viability.

What it really looks like to me is the mirror of our own country, wasted opportunity and talent that could have gone to much better use.

Fascinating. The shipment & smuggling method used in 2006-2008, when I was buying counterfeit pharmaceutical products, was identical. In that case they were grabbing free Chinese entertainment magazines in Shanghai and taping the pills inside the magazine in an identical way.

Several years ago a terrorism researcher working in my collection at the University of Kansas (Wilcox Collection on Contemporary Political Movements) and I had a long chat about how the government or private security contractors would go after their critics and whistleblowers and setting them up for crimes was discussed. This can be surprisingly easy in cases where the crime is possession of something, i.e., guns, dope or explosive components.

With the atmosphere of “total war” that floats around the counter-terrorism community and the lack of any kind of respect for civil liberties the government has evidenced I could see this developing into a trend. Even if a person gets exonerated the experience could be pretty frightening.

This case sounds so elaborate that discovery was almost certain. Should you ever determine who did this I would consider getting a lawyer and going after them.

I don’t think anyone has very good oversight with respect to private security contractors. Since terrorist incidents are their bread and butter I would wonder if someone in that community might try to set up a terrorism hoax, or quietly aid a real perpetrator. If you look at the FBI prosecutions over the last several years this is pretty much what the FBI has been doing all along.

In 1995 I published a report entitled “Crying Wolf: Hate Crime Hoaxes in America.” Keeping the issue of hate crimes ginned up at a time when legislation was pending around the country was a significant motive. It helped groups raise money, built careers and established what might be called the Hate Crime Industry. The same is true with terrorism. Think in terms of game theory and always ask the question, “Who Profits?”

There’s a very interesting typo this guy makes in one of his sentences – “обещательно” instead of “обязательно”.

It is very interesting because the letter “щ” (“w”) is situated far away from “з” (“z”) on Russian (and other Cyrillic) keyboards.

However, it is a very common typo when:

– a transliteration program or site (such as translit.ru ) is used
– by someone who switches from qwerty to azerty (latin) keyboards or vice versa.

Of course, I have no certitude at all, but it looks like the guy

– is a native Russian speaker
– but does not use a Cyrillic keyboard
– which probably means he lives outside Russia
– and probably has an azerty (for instance, french) keyboard
– and probably used someone else’s computer (like in a cybercafé) with qwerty keyboard
– while writing that message
– or vice-versa (about keyboards)

Stupid comment. Have you seen a Russian keyboard? The letter “щ” (English keyboard “O”) is situated right next to “з” (English keyboard “P”). That means he uses a native Russian keyboard. It also means you are dumb.

What comes to mind, is some real threat of envelopes opening (and especially bags inside), as there might be “something” that one does not want to inhale, even in minute quantities (bacterial spores).
If these people wanted to try framing you, they could have come up with something else against you, in the same “run”.
…Dangerous.
P.S. You may also want to not even publish this comment, to not give any bad ideas to the readers.